fix(dpp): bind SetPriceForDirectPurchase action_id to full pricing schedule

[QuantumExplorer]

Issue being fixed or feature implemented

Same class of vote-swap vulnerability as PR #3346, but for TokenSetPriceForDirectPurchaseTransition.

The action_id only hashed minimum_purchase_amount_and_price().1 (the credit price of the lowest tier), so different pricing schedules with the same minimum-tier price produced identical action_ids. A malicious group member could propose a fair pricing schedule, collect votes, then swap to a predatory schedule.

Collision examples:

• SetPrices({1: 100, 10: 800}) vs SetPrices({1: 100, 10: 9999}) — same min price, different tiers
• SinglePrice(100) vs SetPrices({1: 100}) — different types, same (1, 100) result
• SetPrices({5: 100, ...}) vs SetPrices({10: 100, ...}) — different minimum amounts, same price

What was done?

Replaced minimum_purchase_amount_and_price().1.to_be_bytes() with bincode::encode_to_vec(price_per_token, bincode::config::standard()) — the full serialized pricing schedule is now included in the hash.

Not gated behind a platform version because SetPriceForDirectPurchase is a new v3.1 feature not yet used in production.

How Has This Been Tested?

4 new tests proving:

1. Different SetPrices with same minimum produce different action_ids
2. SinglePrice(100) vs SetPrices({1: 100}) produce different action_ids
3. Identical schedules produce the same action_id
4. None price vs Some price produce different action_ids

test result: ok. 4 passed; 0 failed

Breaking Changes

This changes action_id computation for SetPriceForDirectPurchase transitions. Since this feature has not been used in production, there are no backward compatibility concerns.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have made corresponding changes to the documentation if needed

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Improved action ID calculation to distinguish full pricing schedules (prevents schedule-swaps being treated as identical).

• Chores

  • Introduced a version flag for token pricing action ID behavior so platforms can opt between legacy and new calculation logic.

• Tests

  • Added unit tests covering cross-version and varied pricing-schedule scenarios to ensure consistent, distinct action IDs.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Added a versioned action-id calculation for TokenSetPriceForDirectPurchaseTransition: a public dispatcher calculate_action_id_with_fields routes to v0 (backward-compatible) or v1 (hashes full serialized TokenPricingSchedule). Platform-version flag and tests were added; unknown versions return an explicit error.

Changes

Cohort / File(s)	Summary
TokenSetPrice Transition Core packages/rs-dpp/src/state_transition/state_transitions/document/batch_transition/batched_transition/token_set_price_for_direct_purchase_transition/v0_methods.rs	Added pub fn calculate_action_id_with_fields(...) -> Result<Identifier, ProtocolError> implementing version dispatch. Introduced private calculate_action_id_with_fields_v0 and ..._v1 paths; v1 hashes full serialized TokenPricingSchedule (bincode).
V0 Trait impl / Call sites packages/rs-dpp/src/state_transition/state_transitions/document/batch_transition/batched_transition/token_set_price_for_direct_purchase_transition/v0/v0_methods.rs	Updated calculate_action_id to accept platform_version and delegate to the new versioned calculate_action_id_with_fields, changing call signature and control flow to use platform-versioned behavior.
Platform versioning packages/rs-platform-version/src/version/dpp_versions/dpp_token_versions/mod.rs, .../v1.rs, .../v2.rs, .../v12.rs	Added new field token_set_price_action_id_version: FeatureVersion to DPPTokenVersions; initialized to 0 in v1 and 1 in v2. Minor comment update in v12.rs. Review initialization and compatibility across versions.
Tests / Test helpers packages/rs-dpp/src/state_transition/.../token_set_price_for_direct_purchase_transition/... (tests in same module)	Added unit tests covering: distinct action_ids for different schedules despite same minimum, SinglePrice vs SetPrices differentiation, identical schedules matching, and cross-version (v0 vs v1) differences. Included helper make_transition for v0 tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hashed the whole schedule, not just a part,
So swaps and surprises no longer dart,
Versions now choose which path to take,
Tests nibble carrots for correctness' sake,
Hop, hop — identifiers behave! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: binding the SetPriceForDirectPurchase action_id to the full pricing schedule to prevent vote-swap vulnerabilities.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/set-price-action-id-bind-payload

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 93.45238% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.51%. Comparing base (5e7d433) to head (48447ca).
⚠️ Report is 1 commits behind head on v3.1-dev.

Files with missing lines	Patch %	Lines
...price_for_direct_purchase_transition/v0_methods.rs	93.16%	11 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##           v3.1-dev    #3357      +/-   ##
============================================
+ Coverage     75.50%   75.51%   +0.01%     
============================================
  Files          2912     2912              
  Lines        281065   281224     +159     
============================================
+ Hits         212211   212363     +152     
- Misses        68854    68861       +7     

Components	Coverage Δ
dpp	63.52% <93.45%> (+0.08%)	⬆️
drive	81.64% <ø> (ø)
drive-abci	85.99% <ø> (ø)
sdk	31.25% <ø> (ø)
dapi-client	79.06% <ø> (ø)
platform-version	∅ <ø> (∅)
platform-value	58.46% <ø> (ø)
platform-wallet	60.40% <ø> (ø)
drive-proof-verifier	48.00% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/23179587428
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "94ddab4d078a45fa7a7bca7acb5121680abfb92ef0e020c1f6cf14e527c6fe90"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[QuantumExplorer]

Self Reviewed

[QuantumExplorer]

Approved